TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

The Office of Research, Analysis, and Statistics Needs to Address Computer Security Weaknesses

September 17, 2008

Reference Number: 2008-20-176

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 17, 2008

MEMORANDUM FOR DIRECTOR, OFFICE OF RESEARCH, ANALYSIS, AND STATISTICS

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – The Office of Research, Analysis, and Statistics Needs to Address Computer Security Weaknesses (Audit # 200720032)

This report presents the results of our review to determine whether the Internal Revenue Service's (IRS) Office of Research, Analysis, and Statistics (RAS organization) maintained effective security controls over its information systems.
This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of the Information Systems Programs business unit's statutory requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

Information technology personnel in the RAS organization manage computer systems containing a significant amount of sensitive taxpayer data. Users query these systems to obtain enormous amounts of taxpayer data. However, these personal data were not adequately secured. Several security weaknesses existed on each of the three computer systems we reviewed. These weaknesses increase the risks of 1) unauthorized disclosure of taxpayer data that could be used for identity theft, and 2) significant disruption to computer operations.

Synopsis

The RAS organization is the main provider of statistics about the Federal Government tax system. It also provides IRS officials with a suite of research tools and comprehensive analyses to support management decisions.

We identified several weaknesses in the management of access to the RAS organization's computer systems. Managers did not carry out their responsibilities to ensure that 1) users were authorized to access the computer systems, 2) access accounts for former employees and current employees who no longer needed access were removed, and 3) system administrators removed or locked unnecessary generic or shared administrator accounts that provide additional opportunities for malicious intruders to gain access to the systems.

In addition, password settings did not conform to IRS information security standards.
For example, passwords were not always sufficiently complex, passwords were not set to expire after the required length of time, and new users were not required to change their passwords at initial login.

Unencrypted sensitive data were transferred between computers. The IRS has developed procedures to limit unsecured services on its networks and was in the process of implementing these procedures during our review. However, the unsecured services were still in use on the RAS organization's computer systems.

Controls to detect inappropriate security events were not effective. Audit log[1] data were not adequately retained or reviewed on the computer systems. Intrusion detection systems were not installed and virus protection software was not current. In addition, data received from other sources were not scanned with virus protection software before being uploaded to the server.

The IRS requires that system backup files be stored offsite. However, offsite storage was not used for backup files because the RAS organization had not completed negotiations with the IRS Modernization and Information Technology Services organization to secure the system backup files.

We also identified database security vulnerabilities within the systems we reviewed. Database patching[2] was not adequate, access permissions were set incorrectly, password settings were incorrect, and the auditing feature was not properly enabled to detect unauthorized activities in the databases.

Our findings indicate that managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they were charged with protecting. In addition, a security officer had not been designated to communicate security guidance and monitor compliance with IRS security policies, and software was not available to scan for security weaknesses.
Until these root causes are addressed, the RAS organization will be unable to effectively manage and secure systems containing taxpayer identifiable information.

[1] An audit log is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.
[2] A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.

Recommendations

We recommended that the Director, Office of Research, Analysis, and Statistics, 1) designate a security officer to monitor compliance with IRS security requirements and remind managers and employees of their security responsibilities, 2) require system administrators and their managers to ensure that all system access controls are followed, and to follow up on identified security weaknesses to ensure they are corrected in a timely manner, 3) coordinate with the Modernization and Information Technology Services organization to implement secure processes for transferring sensitive data between computers, and ensure that scanning software is used to periodically scan the RAS organization's systems for security weaknesses, 4) implement and monitor a process by which managers validate that system access is limited to only those who have a need, 5) ensure that audit and accountability controls are sufficient by requiring that audit logs are maintained a minimum of 6 years and are reviewed by the security officer, 6) require managers to ensure that offsite storage is used for system and data backup files, and 7) coordinate with the Chief Information Officer
to verify that intrusion detection systems are installed to protect all systems and that virus protection software is current.

Response

The Director, Office of Research, Analysis and Statistics, agreed with our recommendations and informed us that many of their corrective actions have already been taken. The RAS organization will 1) designate a security officer and require system administrators and their managers to follow system access controls, 2) follow up on identified security weaknesses and ensure they are tracked on a Plan of Action and Milestones[3] and corrected in a timely manner, 3) work with the Modernization and Information Technology Services organization to ensure that data files are transmitted securely between computers as soon as an alternate data transfer service is available, and ensure that scanning software is used to periodically scan the systems for security weaknesses, 4) periodically review system access records for all systems to validate that access is granted on a need-to-know basis, 5) retain audit logs for 6 years and require that the newly designated security officer review the audit logs, 6) continue coordinating with the IRS Enterprise Operations office to have the system and data backup files stored offsite, and 7) continue coordinating with the Modernization and Information Technology Services organization to install host intrusion detection software and virus protection software on all systems as soon as available. Management's complete response to the draft report is included as Appendix V.

[3] A Plan of Action and Milestones, also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the Plan, any milestones in meeting the task, and scheduled completion dates for the milestones.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs) at (202) 622-8510.

Table of Contents

Background
Results of Review
    The Office of Research, Analysis, and Statistics Needs to Implement Adequate Security Controls
        Recommendations 1 and 2
        Recommendations 3 and 4
        Recommendations 5 through 7
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Description of the Office of Research, Analysis, and Statistics Suboffices
    Appendix V – Management's Response to the Draft Report

Abbreviations

IRS                  Internal Revenue Service
RAS organization     Office of Research, Analysis, and Statistics

Background

The Internal Revenue Service's (IRS) Office of Research, Analysis, and Statistics (RAS organization) is the main provider of statistics about the Federal Government tax system. It also provides IRS, Department of the Treasury, and other Federal Government officials with a suite of research tools to conduct comprehensive analyses.

The statistical data and analyses provided by the RAS organization allow the IRS to prepare studies, evaluate tax programs and initiatives, and respond to information requests from Congress and other stakeholders.
Examples of analyses conducted by the RAS organization include statistics on taxpayers' voluntary compliance with tax laws, enforcement activities conducted by the IRS, and electronic filing trends. During Fiscal Year 2007, various organizations made more than 1,700 research requests for data stored on the RAS organization's computer systems.

The taxpayer data include information obtained from the following major IRS data sources:
• Individual Master File – The IRS database that maintains transactions or records of individual tax accounts.
• Business Master File – The IRS database that consists of Federal tax-related transactions and accounts for businesses. These include employment taxes, income taxes on businesses, and excise taxes.
• Audit Information Management System – The IRS system that processes information related to IRS examinations of taxpayers.

The RAS organization comprises five suboffices: Office of Research, National Research Program office, Office of Program Evaluation and Risk Analysis, Statistics of Income Division, and Office of Servicewide Policy Directives and Electronic Research. A detailed description of each suboffice is included in Appendix IV.

The RAS organization operates three main computer applications to accomplish its mission:
• Compliance Data Warehouse – Provides access to a wide variety of tax return, enforcement, compliance, and other data to support the query and analysis needs of the research community.
  It captures data from multiple production systems and migrates, transforms, and organizes the data in a way that is conducive to analysis.
• Statistics of Income Distributed Processing System – Supports the IRS requirement to annually report to Congress on the numbers and types of tax returns filed and the characteristics and money amounts reported on those returns. The sample data are used by the Bureau of Economic Analysis, the Congressional Budget Office, the Department of the Treasury Office of Tax Analysis, and the Joint Committee on Taxation.
• YK1 Link Analysis Tool – Extracts data from an Oracle database that contains selected information from the Individual[1] and Business Master File Returns Transaction Files.[2] The application uses partnership data to show how gains and losses flow through and across all related entities.

We focused our review on technical, operational, and managerial controls that should be established to protect these three applications, which we refer to as "systems" in this report. The RAS organization employs its own Information Technology function to manage the security over its Statistics of Income Distributed Processing System. The security controls for the Compliance Data Warehouse and the YK1 Link Analysis Tool systems are managed jointly by the RAS organization and the IRS Modernization and Information Technology Services organization.
This arrangement is in contrast to the majority of IRS organizations, whose computer systems are administered by the Modernization and Information Technology Services organization.

This review was performed in the RAS organization offices in Washington, D.C., and the Ogden, Utah, Campus[3] during the period August 2007 through April 2008. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] Individual Return Transaction File programs receive individual tax return data, reformat, and post returns to the Return Transaction On-Line File. They also do weekly cross-reference maintenance.
[2] Business Return Transaction File programs receive business tax return data, reformat, and post returns to the Return Transaction File, and do periodic file maintenance.
[3] Campuses are the data processing arm of the IRS.
    They process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.

Results of Review

The Office of Research, Analysis, and Statistics Needs to Implement Adequate Security Controls

Information technology personnel in the RAS organization manage computer systems containing a large amount of sensitive taxpayer data. To accomplish their missions, system users must be able to access enormous amounts of taxpayer data. The risk of unauthorized disclosure of these data dictates tight control and close monitoring to ensure that security vulnerabilities are identified and corrected in a timely manner. However, we found significant security weaknesses on each of the RAS organization's computer systems reviewed. These weaknesses increase the risks of 1) unauthorized disclosure of taxpayer data that could be used for identity theft, and 2) significant disruption to computer operations.

Our findings indicate that managers and system administrators had not placed sufficient emphasis on maintaining the security and privacy of the taxpayer data they are charged with protecting. In addition, a security officer had not been designated to communicate security guidance and monitor compliance with IRS information security policies, and software was not available to scan for security weaknesses.
Until these root causes are addressed, the RAS organization will be unable to effectively manage and secure systems containing taxpayer identifiable information.

Management of access to systems was inadequate

Each employee and contractor request for access to a system should be authorized by his or her manager using an Information System User Registration/Change Request (Form 5081). Before authorizing an employee or contractor to have access to a system, the manager should ensure that the potential user needs the access to carry out his or her responsibilities and has passed a background investigation. Managers are also required to annually review their employees' and contractors' access rights to ensure that the employees or contractors still need access to the computer system. As an added control, the IRS requires that systems be configured to disable a user's account if it has not been used in the last 45 calendar days and to remove the account from the system if it has not been used in the last 90 calendar days. Finally, to ensure accountability, system administrators who are responsible for maintaining the computer systems must log into their own unique accounts prior to accessing the systems and performing their duties.

We identified the following authorization control weaknesses:
• System administrators provided access to 67 (11 percent) of 613 employees and contractors on the 3 systems we reviewed without proper authorization from managers.

procedures.
These control weaknesses increase the risk that an unauthorized or malicious person could gain access to the systems to steal taxpayer information or disrupt operations.

Users' passwords did not comply with IRS standards

To ensure that employees and contractors are who they say they are, the IRS requires each user to have a unique password. The IRS also provides specific requirements for passwords to ensure that they are sufficiently complex so they cannot be easily guessed. Password settings on the Compliance Data Warehouse and the YK1 Link Analysis Tool systems did not conform to IRS information security standards. For the Compliance Data Warehouse system, the passwords were not always sufficiently complex, the passwords were not set to expire after the required length of time, and new users were not required to change their passwords when they initially log in. On the YK1 Link Analysis Tool system, passwords were not set to expire after the required length of time.

System administrators stated that they were unaware of certain password standards. In addition, their managers did not provide sufficient oversight to ensure that the administrators were complying with IRS standards. Malicious users can exploit user accounts with weak password settings to steal taxpayer identities and carry out fraud schemes.

Unencrypted sensitive data were transferred between computers

The IRS developed procedures to limit unsecured services on networks. However, these services were still in use. We identified two high-risk, inadequately configured computer services running on all of the systems. Specifically, the File Transfer Protocol and the Telnet services were used to facilitate remote transfers of taxpayer data and provide remote access to computers containing taxpayer identifiable information.
The use of these two services is widely known in the information technology industry as being insecure because they do not encrypt data transferred between computers.

The RAS organization's Internet web site states that the Compliance Data Warehouse system supports the use of the File Transfer Protocol on a temporary basis, usually for a period not to exceed 10 business days. This allows a fast, convenient method for transferring larger amounts of data to and from the Compliance Data Warehouse system environment. However, according to the IRS information security policy, these types of services should be prohibited.

The IRS was in the process of implementing secure methods for transferring sensitive data during our review. However, RAS organization managers had not yet implemented those methods. As a result, the risks of unauthorized access to and disclosure of highly sensitive taxpayer data transmitted between RAS organization systems were increased.

System backups were not stored at an offsite facility

The IRS requires that system backup files be stored offsite. However, offsite storage was not used for backup files for the systems we reviewed. Previously, the IRS National Headquarters had been selected as the offsite storage facility for the RAS organization's systems. This arrangement was terminated after the National Headquarters was damaged by a flood in June 2006.

During our review, the RAS organization was negotiating with the Modernization and Information Technology Services organization to obtain offsite storage.
However, the RAS organization did not place sufficient emphasis on implementing this security control and the negotiations were not completed. Failure to use offsite storage could result in an inability to recover key data in the event of a disaster.

System audit logs were not always retained or reviewed

IRS procedures state that each computer system is required to collect and review audit log information at least weekly. Audit logs should be retained for 6 years. An audit log is defined as a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results. Audit logs are essential in determining accountability for unauthorized use of or changes to a system, investigating security incidents, and monitoring user and system activities.

Audit logs for the RAS organization's computer systems were not adequately retained or reviewed. For example, audit log data were not adequately retained on the Statistics of Income Distributed Processing System. On the YK1 Link Analysis Tool system, audit trail data were retained and reviewed. However, administrator actions and configuration changes were not included in the review. Audit logs for the Compliance Data Warehouse system had been retained but were not regularly reviewed.

The RAS organization did not designate a security officer to review audit logs and report security weaknesses to management. When audit log data are not reviewed, improper activities carried out by external intruders or malicious internal users are less likely to be detected.

Intrusion detection systems were not installed, and virus protection software was not current

The IRS recommends use of intrusion detection systems and virus protection software to deter and detect unauthorized users from entering or disrupting IRS operations.
Intrusion detection systems can inspect all inbound and outbound network activity and identify suspicious patterns that might indicate a network or system is being attacked. Intrusion detection systems were not installed on the three systems we reviewed. Also, virus protection software was not current on the Statistics of Income Distributed Processing System. In addition, data received from other sources were not scanned with virus protection software before being uploaded to the server. Although this is not a requirement and the data are generally received from trusted sources, the damage that can be caused by viruses and worms on systems containing large amounts of data, as in the RAS organization's systems, indicates the need to scan the data from other sources before loading the data onto the systems.

Managers and system administrators had relied on Modernization and Information Technology Services organization staff to implement intrusion detection systems and virus protection software. However, the RAS organization's managers and system administrators did not follow up to ensure that these controls were implemented. The lack of intrusion detection systems and current virus protection software increases the risk that data could be stolen and computer operations disrupted.

Database scanning revealed numerous high-risk vulnerabilities

Our review focused primarily on security controls to protect the RAS organization's computer systems. However, because databases are part of the systems and hackers could gain access to taxpayer data in the databases without entering the systems, we also tested security controls specifically related to the databases.
While the security of sensitive taxpayer data is dependent\non the strength and layers of the security controls protecting it, the last and possibly best line of\ndefense is a system of database security controls.\nWe identified the following database security vulnerabilities on all three of the systems:\n    \xe2\x80\xa2   The database administrators did not adequately install updates and patches4 to the\n        databases, as evidenced by our scanning results. Database vendors often discover\n        security weaknesses in their databases after their products are sold to customers. To\n        address the security weaknesses, the vendors issue patches or updates to their customers.\n        When vendors issue security patches, they are acknowledging that their products contain\n        security vulnerabilities that can be exploited. However, issuing patches also notifies the\n        hacker community of potential security vulnerabilities, often causing a race between\n        hackers attacking these vulnerabilities and information technology professionals\n        installing the patches on their systems. The National Institute for Standards and\n        Technology5 states that, \xe2\x80\x9cTimely patching is critical to maintain the operational\n        availability, confidentiality, and integrity of Information Technology systems. However,\n        failure to keep operating systems and system software patched is the most common\n        mistake made by Information Technology professionals.\xe2\x80\x9d6 National Institute for\n\n4\n  A patch is a fix of a design flaw in a computer program. 
Patches must be installed or applied to the appropriate\ncomputer for the flaw to be corrected.\n5\n  The National Institute of Standards and Technology, under the Department of Commerce, is responsible for\ndeveloping standards and guidelines for providing adequate information security for all Federal Government agency\noperations and assets.\n6\n  Creating a Patch and Vulnerability Management Program (National Institute for Standards and Technology\nSpecial Publication 800-40, dated November 2005).\n                                                                                                          Page 7\n\x0c                    The Office of Research, Analysis, and Statistics Needs to\n                            Address Computer Security Weaknesses\n\n\n\n       Standards and Technology guidance directs that organizations should regularly check for\n       updates and patches from vendors and apply them in a timely manner, and scan systems\n       to validate whether security patches and software versions are current.\n   \xe2\x80\xa2   The database administrators did not adequately restrict database access permissions. The\n       IRS requires that database access permissions be configured based on the principle of\n       least privilege. Users should be granted the least and weakest privileges needed to\n       perform their duties. For example, some users have the sole need of reading the data.\n       Therefore, the database administrator should configure the database access permissions to\n       ensure that these users cannot delete data or execute powerful database functions. The\n       database administrators did not adhere to the principle of least privilege in granting\n       privileges to the \xe2\x80\x9cPublic\xe2\x80\x9d access permission, which is automatically given to all users\n       during database installation. 
        The excessive privileges granted to the Public access permission could be used to circumvent database security and corrupt the computer system. Users in the Public group could also unintentionally modify or delete database tables that are needed by the systems to generate accurate analyses and statistics.

    •   The database administrators did not establish password settings in compliance with IRS standards. They did not establish settings to ensure that 1) default passwords were changed after initial login, 2) the minimum password length was set to the required number of characters rather than zero, and 3) the number of failed login attempts before users were locked out of the system was correct.

    •   The database administrators did not properly enable the auditing feature to detect unauthorized activities in the databases. The IRS requires that the auditing feature be active to track user activities within databases.

The above vulnerabilities resulted from a lack of attention to security by the RAS organization. In addition, the RAS organization informed us that it does not have database scanning software to detect the vulnerabilities we found with our scanning software. Had the RAS organization used database scanning software and implemented regular database scanning, these security vulnerabilities could have been identified and corrected in a timely manner.

The security vulnerabilities we detected provide an opportunity for data stored in the databases to be compromised, which could lead to identity theft or fraud.
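The four database findings above (excess PUBLIC privileges, unchanged default passwords, a zero minimum password length, no lockout threshold, and auditing left off) are exactly what a database scanner checks for, and each can be verified and corrected from a DBA session without scanning software. The following is an added example and is not taken from the report. The report does not name the database product, so Oracle SQL*Plus syntax is assumed; the numeric limits (8 characters, 3 attempts, 90 days), the role name analyst_ro, the schema and table research.return_stats, and the account dbsnmp are illustrative placeholders, not the IRS standard or the RAS organization's configuration.

```sql
-- Added example; not from the TIGTA report. Oracle syntax ASSUMED.
-- Numeric limits and object names are illustrative placeholders.
-- Run as a DBA. Section 1 detects each weakness; section 2 corrects it.

---------------------------------------------------------------------------
-- 1. Detection queries (what a database scanner would look for)
---------------------------------------------------------------------------

-- Finding: privileges granted to PUBLIC. Every account inherits them,
-- so nothing granted here can be taken away by least-privilege role design.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM');   -- application schemas only

-- Finding: accounts still on a vendor default password (view exists in 11g+).
SELECT username FROM dba_users_with_defpwd;

-- Finding: password profile limits. A NULL PASSWORD_VERIFY_FUNCTION means
-- no minimum length at all (the "zero" the auditors reported); UNLIMITED
-- FAILED_LOGIN_ATTEMPTS means no lockout ever occurs.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('PASSWORD_VERIFY_FUNCTION', 'FAILED_LOGIN_ATTEMPTS',
                         'PASSWORD_LOCK_TIME', 'PASSWORD_LIFE_TIME');

-- Finding: auditing disabled. With AUDIT_TRAIL = NONE nothing is written,
-- whatever AUDIT statements have been issued.
SELECT name, value FROM v$parameter WHERE name = 'audit_trail';
SELECT audit_option, success, failure FROM dba_stmt_audit_opts;

---------------------------------------------------------------------------
-- 2. Corrections
---------------------------------------------------------------------------

-- Least privilege: take file/network packages away from PUBLIC and grant
-- them only to the schemas that need them. Test on a non-production copy
-- first: application code that relied on the PUBLIC grant will stop working.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_tcp  FROM PUBLIC;

-- Read-only analysts get SELECT on the reporting tables and nothing else
-- (analyst_ro and research.return_stats are hypothetical names).
CREATE ROLE analyst_ro;
GRANT SELECT ON research.return_stats TO analyst_ro;

-- Minimum length: a verify function is checked at every password change.
CREATE OR REPLACE FUNCTION verify_min_len (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2) RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 8 THEN                            -- illustrative limit
    raise_application_error(-20001, 'Password must be at least 8 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    raise_application_error(-20002, 'Password must differ from the username');
  END IF;
  RETURN TRUE;
END;
/

-- Lockout and length are enforced through the profile each account uses.
ALTER PROFILE DEFAULT LIMIT
  FAILED_LOGIN_ATTEMPTS    3            -- illustrative; use the required value
  PASSWORD_LOCK_TIME       1            -- days locked after the last failure
  PASSWORD_LIFE_TIME       90           -- days before a change is forced
  PASSWORD_VERIFY_FUNCTION verify_min_len;

-- Default passwords: force a change at next login for every account the
-- dba_users_with_defpwd query returned (dbsnmp is only an example).
ALTER USER dbsnmp PASSWORD EXPIRE;

-- Auditing: switch the trail on (takes effect after a restart), then record
-- logons and the privileged operations an intruder or careless user would use.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
AUDIT SESSION;
AUDIT GRANT ANY PRIVILEGE, ALTER USER, DROP ANY TABLE, DELETE ANY TABLE;
AUDIT DELETE, UPDATE ON research.return_stats BY ACCESS;
```

Two caveats a practitioner would add. Revoking from PUBLIC is the step most likely to break something, because vendor-installed packages and old application code often assume those grants exist; run the detection queries, record what is granted, and re-grant to named roles before revoking. Enabling the audit trail only produces a record; the finding in this report is that nobody was reviewing one, so the trail has to be retained and read by the designated security officer (Recommendation 5) for the control to mean anything.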
In addition, employees and intruders who gain unauthorized access to the systems and networks can cause major disruptions of service affecting productivity.

       Management’s Response: The RAS organization agreed with this recommendation. The RAS organization will periodically review Form 5081 records for all systems and use the online 5081 system to validate that system access is granted on a need-to-know basis. In addition, the RAS organization will not grant system access to employees without a favorable background clearance. Because the RAS organization relies on contractors to keep the Compliance Data Warehouse system running and background investigations are taking 6 months or longer to complete, system access will be restricted and Federal employees will closely monitor the work of contractors throughout regular working hours until the contractors receive a favorable background investigation.

Recommendation 5: Ensure that audit and accountability controls are sufficient by requiring that audit logs be maintained a minimum of 6 years and be periodically reviewed by the security officer.

       Management’s Response: The RAS organization agreed with this recommendation. Audit logs will be retained for 6 years and the newly designated security officer will review the audit logs.

Recommendation 6: Require managers to ensure that offsite storage is used for system and data backup files.

       Management’s Response: The RAS organization agreed with this recommendation. The RAS organization is currently working with the IRS Enterprise Operations office to have the RAS organization’s system and data backup tapes included in the IRS’ offsite storage contract.

Recommendation 7: Coordinate with the Chief Information Officer to verify that intrusion detection systems are installed on all systems and virus protection software is current.

       Management’s Response: The RAS organization agreed with this recommendation and is coordinating with the Modernization and Information Technology Services organization and Cybersecurity office to install host intrusion detection software. Virus protection software is being installed on all Windows-based servers and workstations. UNIX servers will have virus protection software installed once the software is purchased and made available by the Modernization and Information Technology Services organization.


                                                                                                Appendix I

         Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the IRS RAS organization maintained effective security controls over its information systems. For the period August 2007 to April 2008, we evaluated compliance of three systems with specific technical, operational, and managerial controls required by the National Institute of Standards and Technology1 and the IRS. These three systems were the Compliance Data Warehouse system, Statistics of Income Distributed Processing System, and YK1 Link Analysis Tool system. We also reviewed security controls on the databases within the systems.
For any control deemed inadequate, we determined why and the effect of the inadequate control. To accomplish our objective, we:

I.      Determined whether key access controls were in place and operating effectively for each of the RAS organization’s systems.
        A. Determined whether accounts were reviewed at least annually to verify they were needed.
        B. Determined whether generic, duplicate, or inactive accounts existed.
        C. Evaluated technical database controls on the RAS organization’s systems.

II.     Determined whether adequate audit logs were maintained, reviewed, and retained and whether adequate controls existed for ad hoc queries of taxpayer data.
        A. Determined whether audit logs existed, captured key events, and were being reviewed.

III.    Determined whether authentication/password controls were in place and operating effectively.
        A. Determined whether passwords met Internal Revenue Manual criteria.

IV.     Determined whether contingency plans existed and were tested for each of the three systems.
        A. Determined whether system backups were stored offsite.

V.      Determined whether key personnel controls were in place and operating effectively.
        A. Determined whether user access privileges were removed from the system upon user termination.
        B. Determined whether an Information System User Registration/Change Request (Form 5081) had been completed and approved for each system user.
        C. Determined whether contractors or other third parties with system access had proper approvals and background checks completed prior to being given system access.

VI.     Determined whether system monitoring tools and security advisories were used.
        A. Determined whether the systems used intrusion detection systems and virus protection software.
        B. Determined whether the RAS organization received security advisories, issued alerts to staff, and took action based on alerts (e.g., installing current patches2).

VII.    Determined whether key certifications, accreditations, and security assessments were properly conducted and updated for each system.
        A. Evaluated the adequacy of assessments and whether substantive testing was included as part of the assessments.
        B. Determined whether Plans of Action and Milestones3 were developed and updated.
        C. Determined whether the accreditation demonstrated adequate support for the accreditation decision.

VIII.   Determined whether risk assessments and vulnerability scanning were conducted for each system.

1 The National Institute of Standards and Technology, under the Department of Commerce, is responsible for developing standards and guidelines for providing adequate information security for all Federal Government agency operations and assets.
2 A patch is a fix of a design flaw in a computer program. Patches must be installed or applied to the appropriate computer for the flaw to be corrected.
3 A Plan of Action and Milestones, also referred to as a corrective action plan, is a tool that identifies tasks that need to be accomplished. It details resources required to accomplish the elements of the Plan, any milestones in meeting the task, and scheduled completion dates for the milestones.


                                                                               Appendix II

                 Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Preston B. Benoit, Acting Assistant Inspector General for Audit (Information Systems Programs)
Stephen Mullins, Director
Allen Gray, Audit Manager
Michelle Griffin, Audit Manager
Michael Howard, Audit Manager
Cari Fogle, Senior Auditor
Myron Gulley, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor


                                                                            Appendix III

                          Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CIO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaison: Director, Office of Research, Analysis, and Statistics RAS


                                                                               Appendix IV

     Description of the Office of Research, Analysis, and Statistics Suboffices

1. Office of Research – Improves tax administration by providing information, analysis, and solutions from an agency-wide perspective and by advocating actions for decision makers.
2. National Research Program – Measures voluntary compliance including filing, payment, and reporting compliance.
3. Office of Program Evaluation and Risk Analysis – Provides the senior leadership team with accurate and timely analysis of ongoing and proposed IRS programs and investments to support quality, data-driven strategic thinking and decision making across the organization.
4. Statistics of Income Division – Collects, analyzes, and disseminates information on Federal taxation for the Department of the Treasury Office of Tax Analysis, Congressional committees, IRS business units in their administration of the tax laws, other organizations engaged in economic and financial analysis, and the general public.
5. Office of Servicewide Policy Directives and Electronic Research – Designs and delivers core research tools and services that advance the customer service, compliance, and enforcement priorities of the IRS.


                                                      Appendix V

Management’s Response to the Draft Report